Malware Traffic Analysis Dot Net Series ASCOLIMITED (Video Only)
These writeups will be a series documenting my learning experience with Wireshark and IR report writing for the malicious traffic from Malware-Traffic-Dot-Net; hope you will enjoy it :)
Note, this series will be video only :)
Malware Traffic Analysis Dot Net Series ASCOLIMITED Video Walkthrough
Scenario
LAN segment data:
LAN segment range: 10.2.8.0/24 (10.2.8.0 through 10.2.8.255)
Domain: ascolimited.com
Domain controller: 10.2.8.2 - AscoLimited-DC
LAN segment gateway: 10.2.8.1
LAN segment broadcast address: 10.2.8.255
My IR Report
Executive Summary:
At 2021-02-08 15:59:12 UTC, the user bill.cook on the workstation MGVG60Z was infected with malware.
Victim:
IP: 10.2.8.101
Hostname: DESKTOP-MGVG60Z.ascolimited.com
MAC: 00:12:79:41:c2:aa - HP Workstation
Account Name: bill.cook
IOC:
IP / Domain:
198.211.10.238
213.5.229.12 - satursed.com
54.235.147.252 - elb097307-934924932.us-east-1.elb.amazonaws.com
8.208.10.147 - roanokemortgages.com
185.100.65.29 - sweyblidian.com
162.241.149.195 - key.xn--nvigators-key-if2g.com
45.124.85.55 - tonmatdoanminh.com
URL:
https://key.xn--nvigators-key-if2g.com/ktt/cmd/logon0208_54741869750132.doc
Hash (SHA-256):
94e60de577c84625da69f785ffe7e24c889bfa6923dc7b017c21e8a313e4e8e1 - 6lhjgfdghj.exe
e519c1e99f21fbc6754e2ed9ef38a12684d506617229b4ca87fcff86f6838250 - 6Aov
ee33a8fa2ae6f6b9366c97ed4c00c2796d98a371249dca725a01aca03caf747b - 0801.bin
7af0dc117d2dcd112f50889c4c8a14ac9ee55c2525a24fa66ff9a89b480b7e99 - 0801s.bin
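The indicator list above is what a responder would sweep DNS, proxy and file-hash logs with. As an added example (not part of the original writeup), the Python below loads the report's IP, domain, URL-path and SHA-256 indicators and runs them over a few constructed log lines in a simplified "date time src dst proto detail" format; it also normalises queried names (case, trailing dot, IDNA/punycode) so both spellings of the punycode domain match, and attributes every hit to the 10.2.8.0/24 host on the line. The log format, the function names and the sample lines are assumptions; the indicator values and the LAN range are the report's own.

```python
"""IOC sweep for the ASCOLIMITED report above (added example, not the author's code)."""
import ipaddress

# Indicator values copied from the IR report on this page.
IOC_IPS = {
    "198.211.10.238", "213.5.229.12", "54.235.147.252", "8.208.10.147",
    "185.100.65.29", "162.241.149.195", "45.124.85.55",
}
IOC_DOMAINS = {
    "satursed.com", "roanokemortgages.com", "sweyblidian.com",
    "key.xn--nvigators-key-if2g.com", "tonmatdoanminh.com",
}
IOC_URL_PATH = "/ktt/cmd/logon0208_54741869750132.doc"
IOC_SHA256 = {
    "94e60de577c84625da69f785ffe7e24c889bfa6923dc7b017c21e8a313e4e8e1": "6lhjgfdghj.exe",
    "e519c1e99f21fbc6754e2ed9ef38a12684d506617229b4ca87fcff86f6838250": "6Aov",
    "ee33a8fa2ae6f6b9366c97ed4c00c2796d98a371249dca725a01aca03caf747b": "0801.bin",
    "7af0dc117d2dcd112f50889c4c8a14ac9ee55c2525a24fa66ff9a89b480b7e99": "0801s.bin",
}
LAN = ipaddress.ip_network("10.2.8.0/24")  # LAN segment from the scenario

# Constructed sample log (assumed format: date time src dst proto detail).
SAMPLE_LOG = [
    "2021-02-08 15:59:12 10.2.8.101 10.2.8.2 DNS key.xn--nvigators-key-if2g.com",
    "2021-02-08 15:59:13 10.2.8.101 162.241.149.195 HTTP GET key.xn--nvigators-key-if2g.com "
    "/ktt/cmd/logon0208_54741869750132.doc",
    "2021-02-08 16:00:01 10.2.8.101 8.208.10.147 TLS ClientHello",
    "2021-02-08 16:00:05 10.2.8.55 10.2.8.2 DNS www.example.com",
    "2021-02-08 16:00:09 10.2.8.55 10.2.8.2 DNS cdn.Sweyblidian.com.",
]


def normalize_domain(name: str) -> str:
    """Lower-case, drop a trailing dot and convert Unicode labels to their
    punycode (A-label) form so either spelling matches the IOC list."""
    name = name.strip().rstrip(".").lower()
    try:
        return name.encode("idna").decode("ascii")
    except UnicodeError:
        return name


def matched_ioc_domain(name: str):
    """Return the IOC domain that the name or one of its parents equals, else None."""
    labels = normalize_domain(name).split(".")
    for i in range(len(labels) - 1):  # never test the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


def _is_lan(ip_str: str) -> bool:
    try:
        return ipaddress.ip_address(ip_str) in LAN
    except ValueError:
        return False


def match_line(line: str) -> list:
    """Return (internal_host, indicator) pairs for every IOC seen in one line."""
    parts = line.split(maxsplit=5)
    if len(parts) < 6:
        return []
    _date, _time, src, dst, proto, detail = parts
    lan_hosts = [h for h in (src, dst) if _is_lan(h)]
    internal = lan_hosts[0] if lan_hosts else None
    hits = [(internal, ip) for ip in (src, dst) if ip in IOC_IPS]
    if proto == "DNS":
        dom = matched_ioc_domain(detail)
        if dom:
            hits.append((internal, dom))
    elif proto == "HTTP":
        fields = detail.split()
        if len(fields) >= 3:  # METHOD host path
            dom = matched_ioc_domain(fields[1])
            if dom:
                hits.append((internal, dom))
            if fields[2] == IOC_URL_PATH:
                hits.append((internal, IOC_URL_PATH))
    return hits


def scan(lines) -> dict:
    """Map each internal host to the sorted list of distinct indicators it touched."""
    report = {}
    for line in lines:
        for host, indicator in match_line(line):
            report.setdefault(host, set()).add(indicator)
    return {host: sorted(inds) for host, inds in report.items()}


def lookup_hash(digest: str):
    """Return the report's file name for a SHA-256 digest, or None."""
    return IOC_SHA256.get(digest.strip().lower())


if __name__ == "__main__":
    for host, indicators in scan(SAMPLE_LOG).items():
        print(host, "->", ", ".join(indicators))
```

Hits are keyed by the internal host rather than by log line so the output reads like the victim section of the report: one host, the set of indicators it contacted. Parent-domain matching means a query for a subdomain of a listed domain still fires, while the bare TLD is never tested.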